CN116522411A - Mirror image signature verification method, application creation method, device, equipment and medium - Google Patents

Info

Publication number
CN116522411A
Authority
CN
China
Prior art keywords
mirror image
verification
signature
signature verification
management platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310524442.5A
Other languages
Chinese (zh)
Inventor
李祥哲
赵建星
樊建刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/283 Multi-dimensional databases or data warehouses, e.g. MOLAP or ROLAP
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the invention discloses an image signature verification method, an application creation method, a device, equipment and a medium, relating to the technical field of computers. The image signature verification method comprises the following steps: in response to a signature verification request, determining the image tag of the image to be verified, and requesting the signature information of the image corresponding to that image tag from an image repository service; receiving the signature information returned by the image repository service, and performing signature verification on the signature information to generate a verification result; and sending the verification result to a container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally. The technical scheme of the embodiment of the invention can ensure the legitimacy of the image pulled by the container management platform from the image repository service.

Description

Mirror image signature verification method, application creation method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an image signature verification method, an application creation method, a device, equipment and a medium.
Background
Docker Content Trust (DCT) provides the ability to use digital signatures on image files uploaded to and downloaded from a remote image repository service, ensuring the integrity of the image file and the trustworthiness of its publisher. DCT signing and verification are performed on the client side and can only be carried out by a Docker client.
For a container management platform, the image is pulled directly from the image repository service during application creation, so the signature verification function of the Docker client cannot be used; the pulled image may therefore be either legitimate or illegitimate.
In the course of making the invention, the inventors found that the prior art has at least the following problem: the container management platform cannot guarantee the legitimacy of the images it pulls from the image repository service.
Disclosure of Invention
The embodiment of the invention provides an image signature verification method for ensuring the legitimacy of an image pulled by a container management platform from an image repository service.
In a first aspect, an embodiment of the present invention provides an image signature verification method, which comprises:
in response to a signature verification request, determining the image tag of the image to be verified, and requesting the signature information of the image corresponding to the image tag from an image repository service;
receiving the signature information returned by the image repository service, and performing signature verification on the signature information to generate a verification result;
and sending the verification result to a container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally.
In a second aspect, an embodiment of the present invention further provides an application creation method for a container management platform, comprising:
in response to a container creation request, generating a signature verification request and sending it to a signature verification module, so that the signature verification module executes the image signature verification method described in any embodiment;
when the verification result output by the signature verification module indicates successful verification, pulling the image corresponding to the image tag from the image repository service;
and creating the application corresponding to the image locally.
In a third aspect, an embodiment of the present invention provides an image signature verification device, which comprises:
a request module for, in response to a signature verification request, determining the image tag of the image to be verified and requesting the signature information of the image corresponding to the image tag from the image repository service;
a verification module for receiving the signature information returned by the image repository service and performing signature verification on it to generate a verification result;
and a sending module for sending the verification result to a container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally.
In a fourth aspect, an embodiment of the present invention provides an application creation apparatus for a container management platform, comprising:
a calling module for, in response to a container creation request, generating a signature verification request and sending it to the signature verification module, so that the signature verification module executes the image signature verification method of any embodiment;
an image pulling module for pulling the image corresponding to the image tag from the image repository service when the verification result output by the signature verification module indicates successful verification;
and an application creation module for creating the application corresponding to the image locally.
In a fifth aspect, an embodiment of the present invention provides an electronic device, comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the image signature verification method or the application creation method for a container management platform provided by any embodiment of the invention.
In a sixth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the image signature verification method provided by any embodiment of the present invention, or the application creation method for a container management platform provided by any embodiment.
The embodiments of the invention described above have the following advantages or benefits:
according to the image signature verification method provided by the embodiment of the invention, signature verification of the corresponding image is triggered by the signature verification request to obtain a verification result, and the verification result is sent to the container management platform, so that the container management platform decides according to the verification result whether to proceed with pulling the image from the image repository service; the technical effect of verifying the signature of the image before the container management platform pulls it from the image repository service is thereby achieved, and the security of application creation is greatly improved.
Drawings
FIG. 1 is a schematic flowchart of an image signature verification method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a further image signature verification method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a further image signature verification method according to an embodiment of the present invention;
FIG. 4 is a flowchart of a further image signature verification method according to an embodiment of the present invention;
FIG. 5 is a flowchart of an application creation method for a container management platform according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an image signature verification device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a further image signature verification device according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
The term "container management platform" as used herein refers to a tool or platform for the automated deployment, scaling and management of containerized applications, for example a management platform based on Docker container technology. Typical representatives are container cluster management systems such as Kubernetes (K8S for short, open-sourced by Google) and Amazon Elastic Container Service (Amazon ECS, Amazon's container management service).
The term "container" as used herein refers to an executable unit of software in which the application code is packaged together with its libraries and dependencies in a generic way, so that it can run anywhere: on a desktop, in traditional IT or in the cloud. It takes advantage of operating system (OS) virtualization, in which operating system functionality is used to isolate processes and to control the amount of CPU (central processing unit), memory and disk those processes have access to.
The term "image" as used herein refers to a form of file storage: a lightweight, executable, stand-alone software package used to package a software runtime environment and the software developed on that environment. It contains everything needed to run a given piece of software, including code, libraries, environment variables, configuration files, etc.
The term "image repository service" as used herein may be understood as an image repository, primarily used for storing, managing and distributing images. Each image repository may contain multiple images, different images being distinguished by image tags, where an image tag can be understood as the version information of the image. One image may be configured with at least one image tag.
Fig. 1 is a flowchart of an image signature verification method according to an embodiment of the present invention. The embodiment may be applied to the case where a container management platform performs signature verification on an image before pulling it from an image repository service. The method may be performed by an integrated image signature verification apparatus, which may be implemented in software and/or hardware. As shown in Fig. 1, the method specifically comprises the following steps:
S110, in response to the signature verification request, determining the image tag of the image to be verified, and requesting the signature information of the image corresponding to the image tag from the image repository service.
The signature information can be used to prove the identity of the image. The image to be verified is the image whose signature needs to be checked, that is, the image whose signature information needs to be verified.
The signature verification request is generated by the container management platform on the basis of the application creation request and is sent to the signature verification plug-in. The signature verification request carries an image tag. Therefore, when a signature verification request is detected, the corresponding image tag is determined and taken as the image tag of the image to be verified.
In one embodiment, when the container management platform receives an application creation request through a set application programming interface, it extracts the image tag from the application creation request by means of a set hook function, generates a signature verification request based on the image tag, and sends it to the signature verification module (the signature verification plug-in). The signature verification module determines the image tag in response to the signature verification request and pulls the corresponding image from the image repository service based on the image tag.
In one embodiment, the image repository service is configured so that, on receiving an image tag, it traverses all images, determines the image corresponding to the image tag, and sends the signature information of that image to the signature verification plug-in.
In one embodiment, the image repository service is configured so that, if the number of images corresponding to the image tag is two or more, it outputs to the signature verification plug-in a prompt indicating that the signature information is not unique; the signature verification plug-in forwards the prompt to the container management platform, which suspends the image pull operation and hence the container creation operation.
S120, receiving the signature information returned by the image repository service, and performing signature verification on the signature information to generate a verification result.
Signature verification checks whether the signature information was generated using the set signing method.
The verification result may be verification success or verification failure. If verification succeeds, the corresponding image is legitimate and safe; if verification fails, the corresponding image is illegitimate and unsafe.
After receiving the signature information returned by the image repository service, signature verification is performed on it using a pre-stored key to obtain the verification result.
In one embodiment, the container management platform is a K8S cluster management platform. After the image publisher has encrypted the image through the client, the client stores the key in a set storage location, such as a CI (Continuous Integration) pipeline. The user copies the key of the required image from the CI pipeline into the configuration file of the signature verification plug-in in advance; alternatively, the signature verification plug-in is configured to read the key corresponding to the image tag directly from the CI pipeline.
In one embodiment, the image publisher signs the image to be published using a client, on the basis of a common signature, to obtain a signed image, and after signing stores the public key used to verify the image signature in the CI pipeline. In this embodiment, the signature verification plug-in reads the public key for verifying the common image signature information from the CI pipeline in advance, so that when image signature information needs to be verified the already-read public key is used directly. Alternatively, the signature verification plug-in periodically reads the public key for verifying the common image signature information from the CI pipeline, so that when image signature information needs to be verified the most recently read public key is used directly.
In one embodiment, signature information of an image generated with other signing methods, for example the Notary method, may also be verified.
S130, sending the verification result to the container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally.
If the verification result is verification success, feedback information indicating success is sent to the container management platform; the container management platform pulls the corresponding image from the image repository service according to the feedback and deploys it locally, that is, creates the application corresponding to the image locally. If the verification result is verification failure, feedback information indicating failure is sent to the container management platform; the container management platform outputs a prompt indicating that signature verification failed according to the feedback and suspends the current application creation operation.
In one embodiment, the verification result comprises a verification flag and an image tag. By convention, a verification flag of '1' indicates success and a verification flag of '0' indicates failure. After receiving the verification result, the container management platform extracts the verification flag and the image tag from it; if the flag is 1, it pulls the image corresponding to the image tag from the image repository service; if the flag is 0, it outputs a prompt indicating that signature verification failed.
According to the image signature verification method provided by the embodiment of the invention, signature verification of the corresponding image is triggered by the signature verification request to obtain a verification result, and the verification result is sent to the container management platform, so that the container management platform decides according to the verification result whether to proceed with pulling the image from the image repository service; the technical effect of verifying the signature of the image before the container management platform pulls it from the image repository service is thereby achieved. The legitimacy of the images pulled by the container management platform is greatly improved, and the security of application creation is improved.
Fig. 2 is a flowchart of an image signature verification method according to an embodiment of the present invention. This embodiment further refines the signature verification step of the previous embodiment. As shown in Fig. 2, the method comprises:
S210, in response to a signature verification request, determining the image tag of the image to be verified, and requesting the signature information of the image corresponding to the image tag from an image repository service.
S2201, receiving the signature information returned by the image repository service, and determining the verification policy corresponding to the image tag according to a pre-created correspondence between image tags and verification policies.
The verification policy includes a key. In one embodiment, the verification policy is a public key certificate containing a public key, the public key being used to authenticate the digital signature.
In order to improve the speed and accuracy of signature verification, in this embodiment a configuration file is created in advance to store the correspondence between image tags and verification policies. The configuration file makes it convenient for a user to add a new tag-to-policy correspondence at any time, to delete unused image tags and verification policies from it, and to modify the verification policy corresponding to a given image tag.
In one embodiment, the configuration file comprises at least two sub-files, each configured to store the correspondence between the image tags of a corresponding type of image and their verification policies. The at least two sub-files have different priorities, and the signature verification plug-in accesses them in turn according to the set priority order. For example, sub-file A stores the correspondence for mandatory images and sub-file B stores the correspondence for optional images. As a further example, sub-file C stores the correspondence for commonly used images and sub-file D stores the correspondence for uncommon images; whether an image counts as common or uncommon is determined by its usage probability in a set area. The set area may be the area corresponding to a local area network, or a unit or department.
When signature information returned by the image repository service is received, the signature verification plug-in locates in the configuration file the image tag corresponding to the signature information and the verification policy corresponding to that image tag.
S2202, performing signature verification on the signature information using the verification policy to generate a verification result.
Signature verification is performed on the signature information using the verification policy, that is, using the key included in the verification policy, to obtain a verification result.
S230, sending the verification result to the container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally.
According to this embodiment, the verification policy corresponding to the image tag is determined quickly and accurately from the correspondence between image tags and verification policies, so the speed of determining the verification policy is improved.
Fig. 3 is a flowchart of an image signature verification method according to an embodiment of the present invention. This embodiment further refines the signature verification step of the previous embodiment. As shown in Fig. 3, the method comprises:
S3101, in response to the signature verification request, determining the image tag of the image to be verified.
S3102, determining the image repository service identifier of the image repository service holding the image corresponding to the image tag, and the verification policy corresponding to the image tag, according to a pre-created correspondence among image tags, image repository service identifiers and verification policies.
The container management platform may comprise at least two image repository services, such as a public image repository service and a private image repository service. The image required by the application to be created is stored in one of these image repository services.
In one embodiment, a configuration file is provided in which the correspondence among image tag, image repository service identifier and verification policy is configured. Once the image tag is determined, the image repository service identifier and the verification policy corresponding to it can be determined from this correspondence.
In one embodiment, the signature verification plug-in has a query module that periodically sends a newly-added-image query to each image repository service. When newly-added image information is returned by any image repository service, the image tag of the new image is determined from that information, the corresponding key is obtained from a set key storage location according to the image tag, and the image tag, the identifier of the image repository service it belongs to, and the corresponding key are added to their respective positions in the configuration file.
In one embodiment, the configuration file comprises a sub-configuration file for each image repository service, that is, the configuration information of images stored in different image repository services is written to different sub-configuration files, each with a different priority. The signature verification plug-in comprises a verification unit, which queries the sub-configuration files in turn, in the set priority order, for the image repository service identifier and the verification policy corresponding to the image tag.
S3103, requesting the signature information of the image corresponding to the image tag from the image repository service corresponding to the image repository service identifier.
Once the image repository service identifier is determined, the signature information of the corresponding image can be requested directly from the image repository service identified by it. Compared with requesting the signature information of the image from each image repository service in turn, this improves the speed of obtaining the signature information.
S320, receiving the signature information returned by the image repository service, and performing signature verification on it using the verification policy to generate a verification result.
S330, sending the verification result to the container management platform, so that, when the verification result indicates successful verification, the container management platform pulls the image corresponding to the image tag from the image repository service and creates the application corresponding to the image locally.
According to this embodiment, the image repository service identifier and the verification policy corresponding to the image tag are determined quickly and accurately from the correspondence among image tag, image repository service identifier and verification policy, so the speed of determining the verification policy is improved.
Fig. 4 is a flowchart of a method for verifying a mirror image signature according to an embodiment of the present invention. The present embodiment further refines the verification result in the foregoing embodiment. As shown in fig. 4, the method includes:
S410, responding to the signature verification request, determining the image tag of the image to be verified, and requesting the signature information of the image corresponding to the image tag from the image warehouse service.
S420, receiving signature information returned by the mirror image warehouse service, and carrying out signature verification on the signature information to generate a verification result.
S4301, requesting the digest of the mirror image corresponding to the mirror image tag from the mirror image warehouse service when the verification result indicates successful verification.
Wherein the digest may be understood as a content-based cryptographic hash value. In one embodiment, the cryptographic hash value is determined based on SHA256 (cryptographic hash function), and SHA256 generates a hash value of 256 bits for any length of content object, typically represented by a hexadecimal string of length 64.
Because the digest is computed from the mirror image content, modifying any mirror image layer or other mirror image content changes the mirror image digest; conversely, if the digest of a mirror image changes, the mirror image itself has changed.
S4302, sending the digest to the container management platform, so that the container management platform pulls the mirror image corresponding to the digest from the mirror image warehouse service and completes local deployment of the mirror image to generate the corresponding application.
The signature verification plug-in requests the digest of the mirror image corresponding to the mirror image tag from the mirror image warehouse service only when verification passes, so the digest itself can be regarded as an indication that signature verification passed.
The signature verification plug-in sends the digest to the container management platform. On receiving the digest, the container management platform assumes that the mirror image of the application to be created has passed signature verification and pulls that mirror image from the mirror image warehouse service according to the digest. Because the digest of a mirror image corresponds one-to-one with its content, pulling by digest improves the security of mirror image pulling.
After the mirror image signature is verified successfully, the embodiment of the invention requests the digest of the corresponding mirror image from the mirror image warehouse service. Since the digest of a mirror image corresponds one-to-one with its content, sending the digest to the container management platform, which then pulls the corresponding mirror image from the mirror image warehouse service according to the digest, improves the legitimacy of the mirror image pulled by the container management platform.
Fig. 5 is a flowchart of an application creation method of a container management platform according to an embodiment of the present invention, where the embodiment may be applicable to a case where the container management platform pulls an image for creating an application from an image repository service. The method may be performed by an application creation means integrated in the container management platform, which means may be implemented in software and/or hardware. As shown in fig. 5, the method specifically includes the following steps:
S510, generating a signature verification request in response to the container creation request, and sending the signature verification request to a signature verification module, so that the signature verification module executes the mirror image signature verification method described in any embodiment.
In one embodiment, the signature verification module is implemented as a signature verification plug-in that can be invoked directly by the container management platform.
In one embodiment, when the container management platform receives an application creation request through a set application programming interface, it extracts the mirror image tag from the application creation request using a set hook function, generates a signature verification request based on the mirror image tag, and sends it to the signature verification module (signature verification plug-in). The set hook function may be a MutatingWebhook (mutating hook function).
S520, pulling the mirror image corresponding to the mirror image tag from the mirror image warehouse service when the verification result output by the signature verification module indicates successful verification.
In one embodiment, the verification result includes an agreed identification code. For example, "1" indicates successful signature verification and "0" indicates failed signature verification. If the verification result is "1", the signature verification of the mirror image corresponding to the mirror image tag succeeded, i.e. that mirror image is legitimate, so it is pulled directly from the mirror image warehouse service. If the verification result is "0", the signature verification of the mirror image corresponding to the mirror image tag failed, i.e. that mirror image is illegitimate, so prompt information indicating that mirror image verification failed is output. That is, the container management platform pulls the corresponding mirror image from the mirror image warehouse service only when it receives the identification representing successful signature verification, which improves the legitimacy of mirror image pulling and thus the security of application creation and operation.
In one embodiment, the verification result includes agreed information: for example, a digest indicates that the signature verification of the mirror image succeeded, and "0" indicates that it failed. In this embodiment, when the container management platform receives a verification result containing a digest, it determines that the mirror image corresponding to the mirror image tag has passed signature verification and pulls the corresponding mirror image from the mirror image warehouse service directly according to that digest. When the container management platform receives a verification result containing "0", it determines that the mirror image corresponding to the mirror image tag failed signature verification and outputs prompt information indicating that mirror image verification failed. In this embodiment, the container management platform pulls the corresponding mirror image from the mirror image warehouse service according to the digest only when it receives a verification result containing the digest, so that signature verification combined with the mirror image digest improves the legitimacy of the pulled mirror image and the security of application creation.
S530, creating the application corresponding to the mirror image locally.
After the container management platform pulls the mirror image, it checks the mirror image using a set validation function, for example whether the format of the mirror image is legal and whether the related values are valid; illustratively, it checks whether required fields are filled in, whether string formats are correct, and so on. If the format of the mirror image is illegal or a related value is invalid, deployment of the mirror image is prevented; if the format is legal and the related values are valid, deployment of the mirror image is allowed, and after deployment completes the state parameters of the mirror image are persisted to a storage system to complete creation of the corresponding application.
According to the technical scheme provided by the embodiment of the invention, before the mirror image is pulled, the container management platform performs signature verification on the corresponding mirror image through the signature verification module; and only when the verification result fed back by the signature verification module is successfully verified, pulling the corresponding mirror image from the mirror image warehouse service. The method helps to ensure the legitimacy of the mirror image pulled by the container management platform, thereby improving the security of the created application.
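The plug-in flow of Figs. 3 and 4 (policy lookup through prioritised sub-configuration files, signature request to the registry named by the policy, verification, digest returned only on success) and the platform-side pull of Fig. 5, as one added Go example that is not code from the patent or its assignee. The in-memory registry, the Ed25519 signature over the SHA-256 digest, the tag-keyed policy maps and the sample manifests are constructed assumptions; the "0"-or-digest result follows the second embodiment above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// signedImage is a manifest plus the publisher's signature over its digest (constructed layout).
type signedImage struct {
	manifest  []byte
	signature []byte
}
// registry stands in for one mirror image warehouse service: tag -> signed image.
type registry map[string]signedImage
// digestOf is the digest the text describes: SHA-256 over the content, 64 hex characters.
func digestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// push stores a manifest under a tag, signed over its digest with the publisher's key.
func push(reg registry, tag string, manifest []byte, priv ed25519.PrivateKey) {
	reg[tag] = signedImage{manifest, ed25519.Sign(priv, []byte(digestOf(manifest)))}
}
// verifyPolicy: the registry holding the tag and the pre-fetched public key that must verify it.
type verifyPolicy struct {
	registryID string
	pubKey     ed25519.PublicKey
}

// lookupPolicy walks the sub-configuration files in priority order; the first match wins.
func lookupPolicy(cfgs []map[string]verifyPolicy, tag string) (verifyPolicy, bool) {
	for _, c := range cfgs {
		if p, ok := c[tag]; ok {
			return p, true
		}
	}
	return verifyPolicy{}, false
}
// VerificationResult follows the second embodiment: the digest on success, "0" on failure.
type VerificationResult struct {
	OK     bool
	Digest string
}
// verifyImageSignature is the signature verification plug-in (S3101-S3103, S420, S4301).
func verifyImageSignature(cfgs []map[string]verifyPolicy, regs map[string]registry, tag string) VerificationResult {
	fail := VerificationResult{OK: false, Digest: "0"}
	pol, ok := lookupPolicy(cfgs, tag)
	if !ok {
		return fail // no policy for this tag means there is no key to trust
	}
	img, ok := regs[pol.registryID][tag] // ask only the registry named by the policy
	if !ok {
		return fail
	}
	// Recompute the digest from the returned content, so a manifest swapped after signing fails.
	d := digestOf(img.manifest)
	if !ed25519.Verify(pol.pubKey, []byte(d), img.signature) {
		return fail
	}
	return VerificationResult{OK: true, Digest: d}
}

// pullByDigest is the platform side (S520): pull only on success, resolving by digest, not by tag.
func pullByDigest(reg registry, res VerificationResult) ([]byte, error) {
	if !res.OK {
		return nil, errors.New("signature verification failed, image not pulled")
	}
	for _, img := range reg {
		if digestOf(img.manifest) == res.Digest {
			return img.manifest, nil
		}
	}
	return nil, errors.New("no content matches the verified digest")
}

// buildDemo: constructed data with a fixed publisher key, a genuine app:1.0 and a tampered app:2.0.
func buildDemo() ([]map[string]verifyPolicy, map[string]registry) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	pub := priv.Public().(ed25519.PublicKey)
	reg := registry{}
	push(reg, "app:1.0", []byte("manifest for app:1.0"), priv)
	push(reg, "app:2.0", []byte("manifest for app:2.0"), priv)
	// Manifest replaced after signing; the stored signature bytes are unchanged.
	reg["app:2.0"] = signedImage{[]byte("manifest for app:2.0 plus injected layer"), reg["app:2.0"].signature}
	cfgs := []map[string]verifyPolicy{{"app:1.0": {"registry-a", pub}, "app:2.0": {"registry-a", pub}}}
	return cfgs, map[string]registry{"registry-a": reg}
}

func main() {
	cfgs, regs := buildDemo()
	for _, tag := range []string{"app:1.0", "app:2.0", "app:9.9"} {
		res := verifyImageSignature(cfgs, regs, tag)
		_, err := pullByDigest(regs["registry-a"], res)
		fmt.Printf("%-8s ok=%-5v digest=%.12s pull error: %v\n", tag, res.OK, res.Digest, err)
	}
}
```

A higher-priority sub-configuration file can override the key for a tag, which is why the lookup order matters as much as the key itself.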
The following is an embodiment of a mirror image signature verification device provided by the embodiment of the present invention, which belongs to the same inventive concept as the mirror image signature verification method of the above embodiments, and details of the embodiment of the mirror image signature verification device, which are not described in detail, may be referred to in the foregoing embodiments.
Fig. 6 is a schematic structural diagram of a mirror image signature verification device according to an embodiment of the present invention. As shown in fig. 6, the apparatus includes:
a request module 610, configured to determine a mirror image tag of a mirror image to be verified in response to a signature verification request, and request signature information of the mirror image corresponding to the mirror image tag from a mirror image warehouse service;
the verification module 620 is configured to receive the signature information returned by the mirror warehouse service, and perform signature verification on the signature information to generate a verification result;
and the sending module 630 is configured to send the verification result to a container management platform, so that the container management platform pulls the image corresponding to the image tag from the image warehouse service and creates the application corresponding to the image locally when the verification result is successfully verified.
In one embodiment, the verification module 620 is specifically configured to:
determining a corresponding verification strategy of the mirror image label according to a corresponding relation between the pre-established mirror image label and the verification strategy;
and carrying out signature verification on the signature information by adopting the verification strategy to generate a verification result.
In one embodiment, the request module 610 is specifically configured to:
determining a mirror image warehouse service identifier of a mirror image warehouse service where a mirror image corresponding to the mirror image label is located and a verification policy corresponding to the mirror image label according to a corresponding relation among a pre-created mirror image label, the mirror image warehouse service identifier and the verification policy;
requesting the signature information of the mirror image corresponding to the mirror image tag from the mirror image warehouse service corresponding to the mirror image warehouse service identifier;
the verification module 620 is specifically configured to:
and carrying out signature verification on the signature information by adopting the verification strategy to generate a verification result.
In one embodiment, the sending module 630 is specifically configured to:
under the condition that the verification result is successful, requesting the digest of the mirror image corresponding to the mirror image tag from the mirror image warehouse service;
and sending the digest to a container management platform so that the container management platform pulls the mirror image corresponding to the digest from the mirror image warehouse service, and completing local deployment of the mirror image to generate a corresponding application.
In one embodiment, the verification policy includes a public key obtained in advance from a set key storage location.
According to the technical scheme of the mirror image signature verification method provided by the embodiment of the invention, the signature verification operation of the corresponding mirror image is triggered according to the signature verification request to obtain a verification result, and the verification result is sent to the container management platform, so that the container management platform determines whether to continue pulling the mirror image from the mirror image warehouse service according to the verification result; the technical effect of signature verification on the corresponding mirror image before the container management platform pulls the mirror image from the mirror image warehouse service is achieved. The security of application creation is greatly improved.
The device for verifying the image signature provided by the embodiment of the invention can execute the method for verifying the image signature provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the method for verifying the image signature.
Fig. 7 is a schematic structural diagram of an application creation device of a container management platform according to an embodiment of the present invention. As shown in fig. 7, the apparatus includes:
a calling module 710, configured to generate a signature verification request in response to the container creation request, and send the signature verification request to a signature verification module, so that the signature verification module performs the image signature verification method according to any one of the preceding claims 1 to 6;
the mirror image pulling module 720 is configured to pull a mirror image corresponding to the mirror image tag from a mirror image warehouse service when the verification result output by the signature verification module indicates successful verification;
and the application creation module 730 is configured to create the application corresponding to the image locally.
In one embodiment, the calling module 710 is specifically configured to:
in response to a container creation request, invoking a predefined hook function to determine a mirror image tag in the container creation request;
and generating a signature verification request according to the mirror image tag.
According to the technical scheme provided by the embodiment of the invention, before the mirror image is pulled, the container management platform performs signature verification on the corresponding mirror image through the signature verification module; and only when the verification result fed back by the signature verification module is successfully verified, pulling the corresponding mirror image from the mirror image warehouse service. The security of mirror pulling is improved, so that the security of the created application and the security of the operation of the container management platform are improved.
The application creation device of the container management platform provided by the embodiment of the invention can execute the application creation method of the container management platform provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of executing the application creation method of the container management platform.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Fig. 8 shows a block diagram of an exemplary server 12 suitable for use in implementing embodiments of the present invention. The server 12 shown in fig. 8 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 8, the server 12 is in the form of a general purpose computing device. The components of server 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Server 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by server 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The server 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 8, commonly referred to as a "hard disk drive"). Although not shown in fig. 8, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. The system memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
The server 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with the server 12, and/or any devices (e.g., network card, modem, etc.) that enable the server 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, the server 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, via a network adapter 20. As shown, network adapter 20 communicates with the other modules of server 12 via bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with server 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running a program stored in the system memory 28, for example, implementing the steps of the image signature verification method provided by any of the embodiments of the present invention, the method including:
responding to a signature verification request, determining a mirror image label of a mirror image to be verified, and requesting signature information of a mirror image corresponding to the mirror image label from a mirror image warehouse service;
receiving the signature information returned by the mirror image warehouse service, and carrying out signature verification on the signature information to generate a verification result;
and sending the verification result to a container management platform, so that the container management platform pulls the mirror image corresponding to the mirror image tag from mirror image warehouse service and creates the application corresponding to the mirror image locally under the condition that the verification result is successfully verified.
Of course, it will be appreciated by those skilled in the art that the processor may also implement the technical solution of the application creation method of the container management platform provided in any embodiment of the present invention, where the method includes:
generating a signature verification request in response to a container creation request, and sending the signature verification request to a signature verification module, so that the signature verification module executes the mirror image signature verification method described in any embodiment;
under the condition that the verification result output by the signature verification module is successful in corresponding verification, pulling the mirror image corresponding to the mirror image tag from mirror image warehouse service;
and creating the application corresponding to the mirror image locally.
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the image signature verification method as provided in any of the foregoing embodiments of the present invention, the method comprising:
responding to a signature verification request, determining a mirror image label of a mirror image to be verified, and requesting signature information of a mirror image corresponding to the mirror image label from a mirror image warehouse service;
receiving the signature information returned by the mirror image warehouse service, and carrying out signature verification on the signature information to generate a verification result;
and sending the verification result to a container management platform, so that the container management platform pulls the mirror image corresponding to the mirror image tag from mirror image warehouse service and creates the application corresponding to the mirror image locally under the condition that the verification result is successfully verified.
Of course, it will be appreciated by those skilled in the art that the program, when executed by a processor, implements the technical solution of the application creation method of the container management platform provided in the foregoing embodiments of the present invention, where the method includes:
generating a signature verification request in response to a container creation request, and sending the signature verification request to a signature verification module, so that the signature verification module executes the mirror image signature verification method described in any embodiment;
under the condition that the verification result output by the signature verification module is successful in corresponding verification, pulling the mirror image corresponding to the mirror image tag from mirror image warehouse service;
and creating the application corresponding to the mirror image locally.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium may be, for example, but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
It will be appreciated by those of ordinary skill in the art that the modules or steps of the invention described above may be implemented in a general purpose computing device, they may be centralized on a single computing device, or distributed over a network of computing devices, or they may alternatively be implemented in program code executable by a computer device, such that they are stored in a memory device and executed by the computing device, or they may be separately fabricated as individual integrated circuit modules, or multiple modules or steps within them may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.

Claims (11)

1. A method for verifying a mirror signature, the method comprising:
responding to a signature verification request, determining a mirror image label of a mirror image to be verified, and requesting signature information of a mirror image corresponding to the mirror image label from a mirror image warehouse service;
receiving the signature information returned by the mirror image warehouse service, and carrying out signature verification on the signature information to generate a verification result;
and sending the verification result to a container management platform, so that the container management platform pulls the mirror image corresponding to the mirror image tag from mirror image warehouse service and creates the application corresponding to the mirror image locally under the condition that the verification result is successfully verified.
2. The method of claim 1, wherein said signature verification of said signature information to generate a verification result comprises:
determining a corresponding verification strategy of the mirror image label according to a corresponding relation between the pre-established mirror image label and the verification strategy;
and carrying out signature verification on the signature information by adopting the verification strategy to generate a verification result.
3. The method according to claim 1, wherein the requesting signature information of the corresponding image of the image tag from the image repository service includes:
determining a mirror image warehouse service identifier of a mirror image warehouse service where a mirror image corresponding to the mirror image label is located and a verification policy corresponding to the mirror image label according to a corresponding relation among a pre-created mirror image label, the mirror image warehouse service identifier and the verification policy;
requesting the signature information of the mirror image corresponding to the mirror image tag from the mirror image warehouse service corresponding to the mirror image warehouse service identifier;
the step of performing signature verification on the signature information to generate a verification result includes:
and carrying out signature verification on the signature information by adopting the verification strategy to generate a verification result.
4. The method according to claim 1, wherein the sending the verification result to the container management platform, so that the container management platform pulls the mirror image corresponding to the mirror image tag from the mirror image warehouse service if the verification result is successful, includes:
under the condition that the verification result is successful, requesting the abstract of the mirror image corresponding to the mirror image tag from the mirror image warehouse service;
and sending the abstract to a container management platform so that the container management platform pulls the mirror image corresponding to the abstract from the mirror image warehouse service, and completing local deployment of the mirror image to generate a corresponding application.
5. A method according to claim 2 or 3, wherein the verification policy comprises a public key, the public key being obtained in advance from a set key storage location.
6. An application creation method for a container management platform, comprising:
generating a signature verification request in response to a container creation request, and sending the signature verification request to a signature verification module, so that the signature verification module executes the mirror image signature verification method according to any one of the preceding claims 1 to 5;
under the condition that the verification result output by the signature verification module is successful in corresponding verification, pulling the mirror image corresponding to the mirror image tag from mirror image warehouse service;
and creating the application corresponding to the mirror image locally.
7. The method of claim 6, wherein generating a signature verification request in response to a container creation request comprises:
in response to a container creation request, invoking a predefined hook function to determine the mirror image tag in the container creation request;
and generating a signature verification request according to the mirror image tag.
8. A mirror image signature verification apparatus, comprising:
the request module is used for responding to the signature verification request, determining the mirror image tag of the mirror image to be verified, and requesting the signature information of the mirror image corresponding to the mirror image tag from the mirror image warehouse service;
the verification module is used for receiving the signature information returned by the mirror image warehouse service and performing signature verification on the signature information to generate a verification result;
and the sending module is used for sending the verification result to a container management platform, so that, when the verification result indicates that verification succeeded, the container management platform pulls the mirror image corresponding to the mirror image tag from the mirror image warehouse service and creates the application corresponding to the mirror image locally.
9. An application creation apparatus for a container management platform, comprising:
a calling module for generating a signature verification request in response to a container creation request and transmitting the signature verification request to a signature verification module, so that the signature verification module executes the mirror image signature verification method according to any one of the preceding claims 1 to 6;
the mirror image pulling module is used for pulling the mirror image corresponding to the mirror image tag from the mirror image warehouse service when the verification result output by the signature verification module indicates that verification succeeded;
and the application creation module is used for locally creating the application corresponding to the mirror image.
10. An electronic device, the electronic device comprising:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the mirror image signature verification method of any one of claims 1 to 5 or the application creation method for a container management platform of claim 6 or 7.
11. A computer readable storage medium having stored thereon a computer program, characterized in that the program, when executed by a processor, implements the mirror image signature verification method according to any one of claims 1 to 5 or the application creation method for a container management platform according to claim 6 or 7.
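The flow of claims 1 to 7 (hook extracts the tag, verifier fetches and checks the signature, platform pulls by digest), as an added Go example that is not part of the patent or of any implementation by the applicant. It assumes an in-memory registry, Ed25519 signatures over the digest string, and a verification policy carrying the signer's public key; all names, tags and digests are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Registry is a constructed in-memory stand-in for the mirror image warehouse service (tag -> digest, digest -> signature).
type Registry struct {
	Digests    map[string]string
	Signatures map[string][]byte
}

// VerificationPolicy holds the public key obtained in advance from the key store (claim 5).
type VerificationPolicy struct{ PublicKey ed25519.PublicKey }
func digestOf(content string) string { return fmt.Sprintf("sha256:%x", sha256.Sum256([]byte(content))) }

// VerifyAndResolve is the verification module of claims 1 to 4: fetch and verify the tag's signature, then return its digest.
func VerifyAndResolve(reg *Registry, pol VerificationPolicy, tag string) (string, error) {
	digest, known := reg.Digests[tag]
	sig, signed := reg.Signatures[digest]
	if !known || !signed || !ed25519.Verify(pol.PublicKey, []byte(digest), sig) {
		return "", fmt.Errorf("refusing %q: unknown tag, missing signature, or invalid signature", tag)
	}
	return digest, nil
}

// AdmitContainer is the platform-side hook of claims 6 and 7: turn the request's tag into a digest-pinned reference or refuse it.
func AdmitContainer(reg *Registry, pol VerificationPolicy, request map[string]string) (string, error) {
	tag := request["image"] // an absent key yields "", which VerifyAndResolve rejects as unknown
	digest, err := VerifyAndResolve(reg, pol, tag)
	if err != nil {
		return "", err
	}
	return strings.SplitN(tag, ":", 2)[0] + "@" + digest, nil
}

// NewDemoRegistry builds constructed sample data: one signed image, one with a signature copied from another image, one unsigned.
func NewDemoRegistry() (*Registry, VerificationPolicy) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good, forged, unsigned := digestOf("layers-v1"), digestOf("layers-v2"), digestOf("layers-v3")
	reg := &Registry{Digests: map[string]string{"app:1.0": good, "app:2.0": forged, "app:3.0": unsigned}}
	reg.Signatures = map[string][]byte{good: ed25519.Sign(priv, []byte(good)), forged: ed25519.Sign(priv, []byte(good))}
	return reg, VerificationPolicy{PublicKey: pub}
}
```

Only the image whose stored signature verifies under the policy key is admitted, and it is admitted by digest rather than by tag, so a later retag of the registry cannot swap in different content.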

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310524442.5A CN116522411A (en) 2023-05-10 2023-05-10 Mirror image signature verification method, application creation method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116522411A true CN116522411A (en) 2023-08-01

Family

ID=87390093

Country Status (1)

Country Link
CN (1) CN116522411A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination